Posted by Zonk on Friday November 24, 2006 @11:53AM from the new-badge-wearer-in-town dept.

eldavojohn writes "Software giant Microsoft is helping the law track down and find phishers and political borders are no boundary for them. From the article, 'One court case in Turkey has already led to a 2.5-year prison sentence for a so-called "phisher" in Turkey, and another four cases against teenagers have been settled out of court, Microsoft said on Wednesday, eight months after it announced the launch of a Global Phishing Enforcement Initiative in March.' This initiative started back in March and has resulted in 129 lawsuits in Europe & the Middle East. Perhaps their legions of lawyers will come to some use for the rest of us but teenagers settling out of court? That reeks of RIAA/MPAA tactics to me."

I'm really personally torn on this. I mean, on one hand, I hate spam and I hate all kinds of computer related scams. I feel that a lot of good ideas (like e-mail) risk death at the hands of these attacks. That said, I welcome all efforts to take care of this.

However, I would be a lot happier if the law took care of this. You know, if Microsoft would give every police district across the world free software, tools and maybe even hardware to catch these guys, that would be the safest route--leave it to the law to take care of these matters. But what I fear is that local police just don't have the time and resources to track these guys down. And, on top of that, law enforcement here in the states might find an illegal or rogue server in another country and have no way within their jurisdiction to follow the case across the borders. That and in some locations, cops are crooked or they don't see the problem of phishing to have any tangible victims.

So while there's a lot of good reasons for Microsoft to do this, I still feel a tiny bit afraid that an already very powerful company is becoming a lot more powerful by gaining international recognition as a crime buster.

So, if you'll entertain me and let my tin-foil hat imagination run wild for a second, say that BitTorrent becomes illegal to use under some country X's laws. Now, I live in country Y (across the world) and I use BitTorrent to retrieve Linux DVD distro images. Microsoft somehow monitors this through my operating system and brings a trial against me in country X. I don't even live there but now I have to go there and defend a lawsuit in that country? That would be a horrible outcome.

Another fear of mine has already occurred... that Microsoft offers out of court settlements from these individuals & personally profits from them. I would assume that amount is trivial to Microsoft & I would want Microsoft to punish these people to the extent of the law where they live. It would also be nice to see Microsoft turn around and donate any money earned towards anti-phishing and anti-spam initiatives.

In the end, I really don't think this is the answer to the problem of spam & phishing. I submitted this story in hopes that there'd be some good debate about where the responsibilities of stopping phishing attacks should lie.

I think what people are really torn about is that (1) people really, really loathe spammers and phishers, and want to see them lose (2) people really, really loathe Microsoft, and don't want to see them win... so who do we root for? It's like the tagline for Alien vs. Predator: "No matter who wins, we all lose". Is there an option 3, where both Microsoft and phishers lose?

No, if you RTFA you will see that Microsoft assists law enforcement with what it deems to be criminal cases, whereas what it deems to be "teenage hackers" it brings civil cases, and it seems from the article that many of these settle out of court.

As far as I am concerned this is vigilante justice. Just as citizens have no business enforcing the law, neither do corporations.

Microsoft's actions are the equivalent of citizens beating up paedophiles. Whether or not it's for a good cause it is completely unacceptable behaviour.

Vigilante justice refers to private citizens making up and enforcing their own law. Microsoft is working within the legal system of each country to bring this about. You are off base here.

If you object to MS getting involved at all, fine. I think for once MS is showing some decent behaviour in criminally targeting large scammers and just slapping down dumb teenagers.

Isn't this the company which everyone derides for NOT playing by legal rules? Now you are unhappy when they do and even show some restraint? /. does not need to invent the devil - - it has already found one.

Vigilante justice refers to private citizens making up and enforcing their own law. Microsoft is working within the legal system of each country to bring this about.

But there is a problem if law enforcement depends heavily on Microsoft's assistance. Then Microsoft has become an integral part of the justice system, not only by executing limited law enforcement tasks (as in the case with labs etcetera working as sub-contractors), but in a position where they have the power to choose which cases should be en

Law enforcement has always required assistance from the public/society. If you report crime, you're assisting the police by describing what happened, making a statement, giving evidence in court etc. MS is doing exactly the same thing here.

If you report a crime and the police aren't interested (as they don't think it's actually a criminal act) then you can bring a civil case instead and MS are doing this with the lesser offences.

Don't you see that there is a difference between passively reporting a crime you have witnessed and actively conducting your own investigations? The law enforcement certainly shouldn't require others to do their investigations. Sure, the police can disregard crimes that I report, but they better be able to find the criminals I don't report by themselves. Also, depending on the public/society in general is different from depending on a single organisation with its own special interests.

You'd have to be asleep for the past 10 years to not know that crime is absolutely out of control online, in the forms of phishing, spam, kiddie porn, etc. No law enforcement agency on the planet is able to do anything to stop it: All we get is one high profile case every 6 months or so on the major media in some kind of pathetic attempt to show that the law enforcement agencies are on top of it. I think that in this case, law enforcement needs all the help they can get. Sure, everybody is still entitled

I was in the porn industry until recently. Pedophiles are actively shunned by the mainstream porn community. In fact, the mainstream porn industry regularly reports these people to gov't agencies. I know that I have personally tipped off the FBI countless times about kiddie porn. There's a lot of it out there.

So while there's a lot of good reasons for Microsoft to do this, I still feel a tiny bit afraid that an already very powerful company is becoming a lot more powerful by gaining international recognition as a crime buster.

And once they have achieved a good reputation as a crime buster they go after people violating M$ patents - voice of the public opinion: "Fine, these bastards who steal IP deserve that!".

I understand your comments. This is something that I think is scary. The worst part is that I do not know why it is so scary.

You think companies like Citibank, Wells Fargo, BOA, and 5/3rd Bank and others who are the ones being defamed would go after these people with uzis. I think the phish people need to be punished, and terrorized.

Does M$ really have altruistic motives? Where will money be made here? I am more worried about positive political feedback (i.e. bribes) for this 'free' service.

The money comes from them trying to keep their operating system "safe" for consumers. While consumers don't know and probably don't care that most phishing e-mails come from compromised Windows systems, consumers will eventually associate "windows == spam". The less spam that large e-mail servers have to serve, the less congested Windows servers will be, and the less likely they will be to go through a large-scale conversion to Linux (or any other platform other than Exchange/AD). I applaud Microsoft's effor

This quote, in relation to the raid by the Swedish government, from TPB legal site sums it up brilliantly:

Just some stats...... here are some reasons why TPB is down sometimes - and how long it usually takes to fix:
Tiamo gets *very* drunk and then something crashes: 4 days
Anakata gets a really bad cold and noone is around: 7 days
The US and Swedish gov. forces the police to steal our servers: 3 days.. yawn.

In other words, if someone in another country sues you under law X, and you live and operate i

However, I would be a lot happier if the law took care of this. You know, if Microsoft would give every police district across the world free software, tools and maybe even hardware to catch these guys, that would be the safest route--leave it to the law to take care of these matters.

The issue at hand is identity theft, the police won't prosecute for crimes like this any more than if someone searched through your garbage looking for personal information. The victim has to bring the case himself.

I have absolutely zero problem with Microsoft filing suit against those phishers.

> the police won't prosecute for crimes...
> The victim has to bring the case himself.
Are you sure on that? I wonder who brought those cases for murder.

The difference between murder and stealing your bank details is that you can give me your bank details legally, you can't give me your life legally. (and suicide is illegal, believe it or not)
In other words, when I break into your apartment and steal your WII, you can forgive me.

> You know, if Microsoft would give every police district across the world
> free software, tools and maybe even hardware to catch these guys
Hardware and software are not the key things most police forces are lacking in pursuing white-collar crime perpetrated via the internet. The key things most police forces are lacking for this are training, manpower, jurisdiction, and training.

Throwing hardware and software at the problem would be like throwing money at the problems in the education system. It's v

Well, that's what we hope they're guilty of doing. How many teenagers do you know that set up and run phishing sites by themselves? Sounds like these are kids taking the fall for other people.

This is nothing at all like the MPAA/RIAA using extortionary tactics to go after low level copyright infringement.

It's the phrase "teenagers settling out of court" that worries me. It's not necessarily that their motives are impure just that their tactics are kind of dirty. As in, we-probably-can't-pin-this-on-you-so-we'll-force-you-to-settle-out-of-court. I really don't like that, if you bring a suit against someone in the name of the public, I'd like it to be seen through to the end even if the person doesn't have the money for the lawyers (another possible problem with this prosecution).

Exactly. By bringing a civil suit for EU2000, MS can essentially act as accuser and judge. There's no way the teenager (guilty or otherwise) can afford to fight it, and even if they can, it'll cost them more than EU2000 for a defense. So they're punished just because Microsoft makes them a target, and no objective examination of the evidence is ever made.

It's also hard to see how one could be a phisher _without_ criminal intent, so I question what Microsoft is really up to here.

How many teenagers do you know that set up and run phishing sites by themselves?

Actually, if you read some of the phishing come-ons, even allowing for English not being the native language of the author, there's a certain adolescent simplicity to a lot of them. Many of the attempts I've seen were clearly made by unsophisticated minds - they reek of script-kiddieness.

this is David from Microsoft's anti-phishing global initiative. I have evidence that little Johnny has been working with the Russian mafia to obtain identify credentials from internet connected computers across the world. If you do not pay us $2000 by return (click this link - htps://123.456.88.12/paypal.com?id=123234 - to pay saecurely online now) and avoid any legal prosecution.

How many teenagers do you know that set up and run phishing sites by themselves? Sounds like these are kids taking the fall for other people.

I don't know about phishing sites, but teenagers have often been involved in computer-crime cases.

For example, there's Sven Jaschan [wikipedia.org], who was 18 years old when he was arrested in conjunction with writing the NetSky and Sasser worms. There's also Ehud Tenenbaum [wikipedia.org], who was also 18 years at the time he was arrested for hacking into various Pentagon and Knesset computer systems. Chad Davis [wikipedia.org] spent time in prison for hacking into the White House and U.S. Army web sites. He was 19. And of course there's Adrian Lamo [wikipedia.org], w

There are very few instances where individuals under the age of 18 in *ANY* country are brought to trial as adults, therefore, settling out of court is an acceptable option. This certainly isn't a "we probably can't pin this on you" thing, it's a we can bring your parents up on these charges (because they *ARE* responsible for their children's actions until they reach adulthood) or we can settle this and save you and your family a lot of grief.

I would, if that's what was happening in this case. It certainly is NOT what is happening in this case. They're helping out Keystone Kops in this case. They're not prosecuting anybody. They're working within the system.

If you want to get your panties in a bunch over corporations being involved in law enforcement, then you should read a bit more. You should know that many prisons in the United States are, in fact, run by private corporations [aca.org]. THAT is a "corporation acting as law enforcement". MS helping cops to track down phishers is not.

I would think it far stranger to hear that Microsoft was proactively suing people who targeted other companies. After all, I'm sure every MSFT stock owner would love to hear their company was spending money protecting Google, Yahoo, eBay, and [insert-your-bank-name-here].

When Microsoft has made itself "indispensable" to the world's (mostly underfunded) police the way it's made itself "indispensable" to the world's businesses, Microsoft will have more power to get the world's police to "see things its way". That means prioritizing, say, software piracy over, say, security holes. The cops in the street won't have much to say about the priorities, but their bosses at the top of their national law enforcement will "rebalance" their priorities to accommodate Microsoft's roles in their budgets and operations.

It's like bottom-up lobbying. Where our rights meet the people who protect them. Brought to you by Microsoft.

So wait, Microsoft is suing people who try to steal your credit card number and they're wrong? Actually, they're only suing pages that try to resemble MSN/hotmail and that try to steal passport passwords. So suing people that make your company look like burglars is wrong?

I'm surprised you didn't accuse Microsoft of paying all those phishers to set up their site just to sue them later and look like they're fighting crime. It'd have been a good end for your sci-fi relate.

Suing people is one thing. Direct operational work with the police, like the RIAA/MPAA raids to which the summary referred, is quite another thing. A bad thing. It starts to put some of the government's power to arrest into the hands of corporations. Which governments have already done with the RIAA/MPAA. It's not Microsoft's job to "fight crime", not in person. It can fight crime by suing, by offering technical support to police investigations, expert witnesses. Most importantly, by closing security holes (

So, elect local and state officials that will put enough budget behind your law enforcement agencies to make such support irrelevant. I doubt that will have much impact on where most of the phishing originates, though, which is overseas. By the way, if you think for a moment that companies like Motorola or General Motors or Ford or Taser don't have just as much of sell-to, but also be-generous-and-supportive-to relationship with city

US cops aren't underfunded - not their operating budgets, anyway. Their salary budget varies, but I don't know of any that are anything but overfunded. That's not including pensions, the real benefits for cops who survive (practically all) to collect them. To be clear, I'm not comparing the salaries to the value of cops putting their wellbeing on the line when facing violent criminals every day to protect us. I'm comparing their budgets to the costs of their operations. I'm talking about cops outside the US,

If Republicans had kept control of Congress this month, so Cheney was still Bush's main babysitter (instead of the return of James Baker), we'd surely have been sending more "troops" to Iraq, if only to give McCain something to run on. But we'd still have too few military to do so, and not even Rangel's symbolic draft bill to kick around. So we'd be spending even more money we don't have (deficit spending is possible where troop shortages aren't) on more mercenaries, outfitted by Halliburton. Enforcing what

I agree, and I'm glad to. OT: while I've got a German with whom I seem to be able to communicate fairly well, would you mind commenting on a discussion I'm watching in a totally different discussion site [dailykos.com]?

Are you familiar with the term "jerry-rigged", an americanism meaning "poor quality, complicated, hasty construction without sensible design from inappropriate materials"? Do you think it insults Germans? I'm sorry if it does and if repeating it might have insulted you, but I think it is an insult, and I'd l

No I am not familiar (beyond my skills of the idiom). But the explanation you give reminded me of American cars (no insult intended either - and this I wrote before being aware of the jerry-semantics).

As I do not know the term - and must only infer that "jerry" somehow refers to Germans (looked it up meanwhile and found that it is German soldier) - I feel I cannot be insulted (and I guess that there are very few of "us Germans" who know the term). On top of it, it may be the appropriate te

I have. I used "jury-rigged" myself, which has more resonance with my sense of "design by committee", than with "jerry", which has no resonance at all, except an archaic ethnic slur. That apparently (at least some) German people wouldn't even recognize.

Most of the cases were Microsoft simply providing evidence to local authorities, who themselves prosecute the scumbags. In the small number of cases where Microsoft is directly taking action (on behalf of little-guy victims everywhere), I'm actually surprised it isn't Citibank and other colossals pummeling these dirtbags into the ground.

Comparing this to the RIAA cases? Give me a break. That's like comparing a rapist with someone taking a second glance at someone they find attractive.

Unfortunately, a huge percentage of phishing is due to unfortunate Microsoft design decisions that they don't want to reverse. The "you can click on anything, even though it's not actually a URL" and the "we don't actually clearly show the contents of clickable links" decisions in Internet Explorer are key to many phishing scams. And pursuing a few easily prosecuted phishers does nothing to actually reduce phishing: it's easy publicity, but phishing is just too darned easy and too difficult to prosecute.

Is that with phishing there is a victim, with copyright infringement there really isn't. Phishing is akin to robbery or assault in terms of crimes. It causes direct harm to a person through the commission of the crime. Copyright infringement is a crime along the lines of speeding or smoking marijuana, while there's perhaps some potential harm, there's no direct harm. With copyright infringement nothing is lost but a potential sale. Sure, if someone copies an album they might not buy it, but then they might

I'm glad you personally watched all of these 129 cases go down and that you found all of them to be genuine phishers. How many teenagers are capable of setting up phishing scams?

In 98 of the cases it was a criminal case. In the remaining cases the culprits had no existing record and were teenagers, so they chose not to pursue criminal cases. Sorry, but it sounds like they let them off easy.

It's the 'settling out of court' that sounds suspicious to me. Why wouldn't Microsoft drive them into the ground like y

I apologize for not blindly accepting this story as complete 100% truth. Forgive my skepticism.

Maybe next time you want someone to take you seriously, you shouldn't compare downloading music to phishing, because that's the sort of thing that makes people think you're either too stupid to realize the difference, or simply resorting to grandstanding in order to try to make people think you're far more clever than you actually are.

Are you kidding? Teenagers are capable of quite a lot you know, and teenagers are absolutely capable of criminal actions, especially when it's nothing more than sending out some emails against a template site: This really isn't the pinnacle of criminal enterprises.

If you can provide some first party accounts of every case, I'll gladly consider myself a dumbass for using that comparison in the submission.

Okay, maybe I'm dense. How do you force someone to settle out of court? Can you explain, please?

Your lawyers convince them that they'll lose -- or even that they *might* lose, and if they do it will ruin them. If you have good lawyers, and particularly if your victim does not, this isn't that hard.

That's it. Your victim agrees to pay you $X (or whatever other conditions you get him to agree to) and in exchange you drop your lawsuit. A judge never evaluates it.

First off, how do you know they were phishing? I think his point was that they may have been accused of it and it was just cheaper to settle out of court than to defend themselves.

They are not guilty until a court says so.

Also, jail is a bad place to put a teenager, and it is counterproductive for society. It is better to give them a non-jail sentence, and then remove it from their record after it has been served. Too many kids do stupid things just because they are kids. It does society no good to let a stupid act ruin someone's future.

I did something stupid with computers in the 80's. If I had gone to jail I can't imagine I would be able to get a job today that pays well, and in turn puts more taxes into the system.

And please do not rebut with "so if they killed someone..." argument. We are talking about a non violent crime here. Keep it in proportion.

Finally, most 'evidence' of this nature points to an ip address, not a person. Something that must be dealt with carefully.

While I agree that their guilt should be 100% proven, if they are phishing and found guilty then so be it. They are purposefully going after individual people and trying to defraud them of their hard earned money. Which, as silly as it sounds, I find different than someone innocently downloading music and defrauding massive studios of their not-so-hard-earned money.
Teens or no teens if you want to try to steal money from me, fucking rights I'm all over charging you with a crime. I did stupid things wit

Would you feel differently about a teenager who attempted to defraud people of their money in person as opposed to via the web? What is the difference? What if they were adults instead of teenagers? They are trying to con people for their own enrichment. They should get the same punishment no matter what medium they use for their crime.

While criminal complaints are aimed at what Microsoft believes to be real criminals, the civil lawsuits are aimed mainly at young people without criminal intent. For them, settlements of 1,000 to 2,000 euros ($1,290-$2,570) are deemed to be enough of a deterrent, Microsoft said.

Those are much smaller settlements than the RIAA is asking for, and I dare say that they either don't cover, or barely cover the legal fees that Microsoft incurs from these actions.

This doesn't look at all like the kind of profit-making enterprise the RIAA is engaging in. Rather, it looks like MS is trying to deter criminals and criminals-in-training from ripping people off.

Of course, they are doing it for their own business reasons. It makes them look bad when people get scammed because of security vulnerabilities in IE. But I don't see how you can draw an evil motivation out of it.

The statement that people are reacting to is "... the civil lawsuits are aimed mainly at young people without criminal intent." But you have to ask yourself, who's the author, what's their bias, and how did they decide that these young people DON'T have criminal intent. I didn't read anything to substantiate the author's statement.

how did they decide that these young people DON'T have criminal intent

I have no idea. I think it's quite clear from the comments that have been posted here that there was very malicious criminal intent and that nobody could possibly have been wrongly accused. If so many people come to the same conclusion, why does it matter how much they know about the situation?

I forwarded a couple of "You have won the Microsoft Lottery" 419 scams to their abuse address but they don't appear to be interested. I get a reply that I should contact the local police. As if I would be interested to waste my time. It is *their* name that gets abused, and I help them by forwarding scam mails they can use as evidence, but that is all the effort I am going to make.

Not to me. Filesharing doesn't impact me personally, nor likely the poor starving recording artists who aren't going to get their money whether or not the RIAA and the record companies actually collect it.

Phishing crimes are far worse on my personal scale of the sewer that the Internet has become, and anything that makes those criminals suffer is a Good Thing.

If there is something worse than a monopoly then it's a vigilante corporation. So if you think it's bad Microsoft is now policing the net, well did you know that the _SCUM_ behind your friendly TARGET store may well someday hold a cold barrel to the back of your neck?
>>> Retailer Target branches out into police work

.... I have to admit that when it comes to crime, they've done a few good things for the universe. The best thing I can think of is besides the topics covered in this article CETS which is a Microsoft designed product to fight child pron/exploitation.

Title group: Microsoft launches new Anti-linux propaganda
Inflammatory index: 23
Stories show high incidence of anti-microsoft sentiment and pro-linux stories. There is a high degree of correlation in past stories, leading to ideas that it's been rehashed too often. This may lead to a high level of "I've seen this damn story before" posts by readers. However, due to the extreme number of this type of post, index is relatively low as topic has reached the "JonKatz" threshold of repetition, and most readers will probably ignore it.

Would you like me to run an accuracy scan index on the articles to see if this article group may be true?

Zonk: nono I don't care about that, continue with report.

Computer: Continuing with report:
Title group: Microsoft assists in anti-phishing efforts
Inflammatory index: 67
Stories show low incidence of Anti-microsoft sentiment and no pro linux sentiment. Articles appear to cast MS in a good light. All factors lead to low inflammatory index except for one. One or more articles express anti-RIAA/MPAA sentiment for no particular reason. Existence of extreme, unwarranted attempt to link article to RIAA/MPAA leads to incredibly high index.

Zonk: hot damn! Scan all submissions and run inflammatory index on each submission. List submission with highest chance of "WTF this is nothing like the RIAA/MPAA."

Computer: Article returned: "The Long Arm of Microsoft."

Zonk: Sweet! Computer post at 11:53 AM with no additions or changes. Open up T1 lines 4 and 7 to accommodate the extra connections and prepare the fire suppression systems. That will phish a good number of comments and help us get our hits up for the day.

And that, ladies and gentlemen, is how and why slashdot posts articles with stupidity like that RIAA comment.

At first, I was reading your explanation, and I thought, "Hey, this sounds plausible. This probably is close to correct". Then, I remembered that Slashdot is still running MySQL, and goes down more than a Republican hooker in Washington, DC. So, I think that your premise is plausible, but only if there were some real technical expertise over at the Slashdot offices.

...is when I blocked a range of IP addresses in Shanghai, my phishing attacks dropped dramatically. Unless MSFT can set up an enforcement shop in China, which would be a pay-per-view event all on its own, then the worst of the lot is going to keep operating.

Whatever else MSFT can do to help phishing and spam...more power to them. Seems like a largely token effort. A PR project more than any real attempt at policing the internet.

If I was going to fight Redmond on anything it would be their crapass EUL

"... but teenagers settling out of court? That reeks of RIAA/MPAA tactics to me."
Why? What would you do if you found a teenage phisher? Just say "oh, it's a bad thing to try to con people out of their life savings but... it's a kid... Let's just tell him "no, no, no" and let it go at that... I hope he hasn't ruined too many lives..."

Give me a break! Not only does this NOT "reek" of RIAA/MPAA there isn't even a scent. Being a teenager isn't a get out of jail/juvi free card! There still are consequence